WordPress Blogs Attacked: What You Need to Know

By April 16, 2013 Security News 6 Comments

Reports of an attack against WordPress and Joomla sites spread through the tech community this weekend, as a large botnet launched brute-force, dictionary-based login attempts on user accounts. According to researchers at hosting companies like CloudFlare and HostGator, some 90,000 IP addresses were involved in the latest series of attacks, leading them to speculate that the overarching goal is to expand the botnet of infected computers to potentially create a super botnet. With some 18% of websites running WordPress, the potential scale is enormous.

Although the attack is no longer breaking news, we wanted to alert LastPass users and clarify what you should know:

  • The attack is focusing on common account usernames – admin, test, administrator, Admin, root – and is systematically testing common passwords to break in to accounts with those usernames. The top five passwords attempted in the hack are “admin,” “123456,” “111111,” “666666,” and “12345678.”
  • The goal is not a data dump of user accounts – this is a large-scale attack that aims to take over a user’s machine, using the compromised server as a stepping stone to add it to the botnet’s arsenal. A network of compromised machines can wreak havoc in a distributed denial-of-service (DDoS) attack.
  • If you are a WordPress user using CloudFlare, you are protected from the latest attack, according to their blog post.

The best steps LastPass users can take at this time:

  • If you’re still using a default username on your WordPress account, change it immediately.
  • To be on the cautious side, change your WordPress passwords immediately, especially if you are using a common password, as WordPress founder Matt Mullenweg noted on his blog.
  • Use LastPass to generate a strong, unique password for your account(s). The LastPass security check, in the Tools menu of the LastPass Icon, will also help you identify weak or duplicate passwords on other accounts.
  • If you’re using a WordPress.com account, activate two-factor authentication.
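As an added example (not part of the original post and not LastPass or WordPress code), the following script does the kind of check a Fail2Ban-style setup performs against this attack: it parses failed WordPress login records, counts failures per source IP inside a time window, and notes whether the source was cycling through the default usernames listed above. The log line format is assumed (syslog-style, modelled on what a WordPress login-logging plugin writes) and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Usernames the post reports the botnet cycling through.
TARGETED_USERNAMES = {"admin", "test", "administrator", "Admin", "root"}

# Assumed line format (syslog-style, modelled on a WordPress login-logging plugin).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\(\S+\): "
    r"Authentication failure for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

# Constructed sample log: one fast burst, one slow pair, one short burst.
SAMPLE_LOG = """\
Apr 16 03:12:01 web1 wordpress(example.com): Authentication failure for admin from 198.51.100.7
Apr 16 03:12:02 web1 wordpress(example.com): Authentication failure for admin from 198.51.100.7
Apr 16 03:12:04 web1 wordpress(example.com): Authentication failure for administrator from 198.51.100.7
Apr 16 03:12:05 web1 wordpress(example.com): Authentication failure for root from 198.51.100.7
Apr 16 03:40:10 web1 wordpress(example.com): Authentication failure for alice from 203.0.113.9
Apr 16 09:15:33 web1 wordpress(example.com): Authentication failure for alice from 203.0.113.9
Apr 16 03:12:07 web1 wordpress(example.com): Authentication failure for test from 192.0.2.55
Apr 16 03:12:08 web1 wordpress(example.com): Authentication failure for Admin from 192.0.2.55
"""

def parse_failures(text, year=2013):
    """Yield (timestamp, ip, username) for every failed-login line; skip other noise."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_brute_forcers(text, maxretry=3, findtime=600):
    """Return {ip: details} for IPs with >= maxretry failures in any findtime-second window."""
    hits = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        hits[ip].append((ts, user))
    offenders = {}
    for ip, events in hits.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if (e[0] - start).total_seconds() <= findtime]
            if len(in_window) >= maxretry:
                users = {u for _, u in events}
                offenders[ip] = {"attempts": len(events), "usernames": users,
                                 "default_targeted": bool(users & TARGETED_USERNAMES)}
                break
    return offenders
```

The maxretry/findtime parameters follow the same semantics as Fail2Ban's, so a slow pair of failures hours apart is not flagged while a burst of three or more within ten minutes is.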

We’ll update our users if any further action should be taken. As always, be vigilant and protect your most important accounts.


  • DrJoeRoss says:

    I BELIEVE THERE IS ANOTHER ISSUE, ONE CREATED BY LASTPASS. All day I have been unable to create a POST on my WordPress site because any post I create starts with a title I did not type and is in Password Protected mode with a password I did not type either! If I turn off the password on WordPress and make the post public, when I save it it reverts to Password Protected despite my changes. So I can never create a public post. HOWEVER, when I turned OFF LastPass in Chrome extensions, I could then change the post to public.

    • Amber Gott says:

      Hi Joe: It sounds like LastPass saved an extra field and is filling in the title with that saved information. Please delete and re-save your WordPress login to fix the issue.

  • Anonymous says:

    When I got an email from my web host Powweb warning me of the WordPress attack I wasn’t too concerned. I launched LastPass and looked at my password. There is no way to brute force my password! Thanks LastPass!

  • Anonymous says:

    My Fail2Ban has blocked 4 IPs so far today! That is up from one or two per week.

  • Jason Nuss says:

    Great post LastPass! Our WordPress site has been hacked several times in the past couple months. We’ve updated all our passwords, as well as updated our LastPass entries. Hopefully we’ll be good to go.

    I posted a blog of our own on being hacked and what measures we took to make our site more secure, and to make sure we had regular backups scheduled in case of future hacks.

    Being hacked is a major pain, but your steps above can help big time! Backups are critical too!